{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23101", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.965Z", "datePublished": "2026-02-04T16:08:23.329Z", "dateUpdated": "2026-05-11T22:00:04.278Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:00:04.278Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: led-class: Only Add LED to leds_list when it is fully ready\n\nBefore this change the LED was added to leds_list before led_init_core()\ngets called adding it the list before led_classdev.set_brightness_work gets\ninitialized.\n\nThis leaves a window where led_trigger_register() of a LED's default\ntrigger will call led_trigger_set() which calls led_set_brightness()\nwhich in turn will end up queueing the *uninitialized*\nled_classdev.set_brightness_work.\n\nThis race gets hit by the lenovo-thinkpad-t14s EC driver which registers\n2 LEDs with a default trigger provided by snd_ctl_led.ko in quick\nsuccession. The first led_classdev_register() causes an async modprobe of\nsnd_ctl_led to run and that async modprobe manages to exactly hit\nthe window where the second LED is on the leds_list without led_init_core()\nbeing called for it, resulting in:\n\n ------------[ cut here ]------------\n WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390\n Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025\n ...\n Call trace:\n __flush_work+0x344/0x390 (P)\n flush_work+0x2c/0x50\n led_trigger_set+0x1c8/0x340\n led_trigger_register+0x17c/0x1c0\n led_trigger_register_simple+0x84/0xe8\n snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]\n do_one_initcall+0x5c/0x318\n do_init_module+0x9c/0x2b8\n load_module+0x7e0/0x998\n\nClose the race window by moving the adding of the LED to leds_list to\nafter the led_init_core() call."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/leds/led-class.c"], "versions": [{"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd", "lessThan": "f7a6df659af777058833802c29b3b7974db5e78a", "status": "affected", "versionType": "git"}, {"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd", "lessThan": "d117fdcb21b05c0e0460261d017b92303cd9ba77", "status": "affected", "versionType": "git"}, {"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd", "lessThan": "e90c861411fc84629a240384b0a72830539d3386", "status": "affected", "versionType": "git"}, {"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd", "lessThan": "2757f7748ce2d0fa44112024907bafb37e104d6e", "status": "affected", "versionType": "git"}, {"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd", "lessThan": "da565bf98c9ad0eabcb09fc97859e0b52f98b7c3", "status": "affected", "versionType": "git"}, {"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd", "lessThan": "78822628165f3d817382f67f91129161159ca234", "status": "affected", "versionType": "git"}, {"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd", "lessThan": "d1883cefd31752f0504b94c3bcfa1f6d511d6e87", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/leds/led-class.c"], "versions": [{"version": "3.7", "status": "affected"}, {"version": "0", "lessThan": "3.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.7", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.7", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.7", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.7", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.7", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.7", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.7", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a"}, {"url": "https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77"}, {"url": "https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386"}, {"url": "https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e"}, {"url": "https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3"}, {"url": "https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234"}, {"url": "https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87"}], "title": "leds: led-class: Only Add LED to leds_list when it is fully ready", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3426920A-E477-43B8-9E72-5B245C924157", "versionEndExcluding": "5.10.249", "versionStartIncluding": "3.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: led-class: Only Add LED to leds_list when it is fully ready\n\nBefore this change the LED was added to leds_list before led_init_core()\ngets called adding it the list before led_classdev.set_brightness_work gets\ninitialized.\n\nThis leaves a window where led_trigger_register() of a LED's default\ntrigger will call led_trigger_set() which calls led_set_brightness()\nwhich in turn will end up queueing the *uninitialized*\nled_classdev.set_brightness_work.\n\nThis race gets hit by the lenovo-thinkpad-t14s EC driver which registers\n2 LEDs with a default trigger provided by snd_ctl_led.ko in quick\nsuccession. The first led_classdev_register() causes an async modprobe of\nsnd_ctl_led to run and that async modprobe manages to exactly hit\nthe window where the second LED is on the leds_list without led_init_core()\nbeing called for it, resulting in:\n\n ------------[ cut here ]------------\n WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390\n Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025\n ...\n Call trace:\n __flush_work+0x344/0x390 (P)\n flush_work+0x2c/0x50\n led_trigger_set+0x1c8/0x340\n led_trigger_register+0x17c/0x1c0\n led_trigger_register_simple+0x84/0xe8\n snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]\n do_one_initcall+0x5c/0x318\n do_init_module+0x9c/0x2b8\n load_module+0x7e0/0x998\n\nClose the race window by moving the adding of the LED to leds_list to\nafter the led_init_core() call."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nleds: led-class: Solo a\u00f1adir el LED a leds_list cuando est\u00e9 completamente listo\n\nAntes de este cambio, el LED se a\u00f1ad\u00eda a leds_list antes de que se llamara a led_init_core(), a\u00f1adi\u00e9ndolo a la lista antes de que se inicializara led_classdev.set_brightness_work.\n\nEsto deja una ventana donde led_trigger_register() del disparador predeterminado de un LED llamar\u00e1 a led_trigger_set(), que llama a led_set_brightness(), lo que a su vez terminar\u00e1 encolando el led_classdev.set_brightness_work *no inicializado*.\n\nEsta condici\u00f3n de carrera es activada por el controlador EC de lenovo-thinkpad-t14s, que registra 2 LEDs con un disparador predeterminado proporcionado por snd_ctl_led.ko en r\u00e1pida sucesi\u00f3n. La primera llamada a led_classdev_register() provoca la ejecuci\u00f3n de un modprobe as\u00edncrono de snd_ctl_led y ese modprobe as\u00edncrono logra alcanzar exactamente la ventana donde el segundo LED est\u00e1 en leds_list sin que se haya llamado a led_init_core() para \u00e9l, resultando en:\n\n ------------[ cut here ]------------\n ADVERTENCIA: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390\n Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025\n ...\n Rastreo de llamadas:\n __flush_work+0x344/0x390 (P)\n flush_work+0x2c/0x50\n led_trigger_set+0x1c8/0x340\n led_trigger_register+0x17c/0x1c0\n led_trigger_register_simple+0x84/0xe8\n snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]\n do_one_initcall+0x5c/0x318\n do_init_module+0x9c/0x2b8\n load_module+0x7e0/0x998\n\nCerrar la ventana de la condici\u00f3n de carrera moviendo la adici\u00f3n del LED a leds_list a despu\u00e9s de la llamada a led_init_core()."}], "id": "CVE-2026-23101", "lastModified": "2026-03-19T19:33:02.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:20.977", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: leds: led-class: Only Add LED to leds_list when it is fully ready", "id": "2436766", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436766"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23101", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23101\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23101\nhttps://lore.kernel.org/linux-cve-announce/2026020428-CVE-2026-23101-47e0@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T18:27:14.172055+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the commit to move LED addition after core initialization.", "If an update is not yet available, disable the snd_ctl_led module from loading automatically by adding blacklist snd_ctl_led to /etc/modprobe.d/blacklist.conf to avoid the race during boot.", "For custom drivers that register LEDs, ensure that led_init_core() is called before adding the device to leds_list or use the updated API that guarantees proper initialization."], "summary": {"action": "Patch Kernel", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue affects Linux kernel builds that have not yet incorporated the commit that moves LED addition to after led_init_core(). Known vulnerable releases include kernel 6.19 release candidates 6.19\u2011rc1 through 6.19\u2011rc6 on systems that load the snd_ctl_led module and use the default LED triggers. Any Linux installation prior to the fix is potentially affected, especially devices that register LEDs during startup, such as Lenovo ThinkPad T14s running those kernels.", "description_and_impact": "The flaw occurs when the kernel adds an LED device to the global leds_list before the device's core initialization has finished. The LED is then referenced by its default trigger before the set_brightness_work structure is properly prepared. When snd_ctl_led is loaded asynchronously, it triggers the early work queueing with an uninitialized structure, causing a kernel warning. The weakness is a temporal race condition (CWE-908) that results in a denial of service.", "risk_and_exploitability": "The CVSS score of 4.7 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. It can be triggered during system boot when the snd_ctl_led module registers LEDs with default triggers before the LEDs are fully initialized. This requires the module to be loaded with kernel privileges during boot or on-demand. Successful exploitation would result in a kernel warning or potential crash, but the CVE description does not disclose any mechanism for privilege escalation or remote exploitation."}}}}, "created": "2026-04-18T18:30:07.292534+00:00", "updated": "2026-04-18T18:30:07.292547+00:00", "vendors": []}